REMARKS OF HAROLD W. GEISEL
INSPECTOR GENERAL (ACTING)
U.S. DEPARTMENT OF STATE AND BROADCASTING BOARD OF GOVERNORS

BEFORE THE
UNITED STATES SENATE COMMITTEE ON THE JUDICIARY

ON
CONTROLS AND NOTIFICATION FOR ACCESS TO PASSPORT RECORDS IN THE DEPARTMENT OF STATE’S PASSPORT INFORMATION ELECTRONIC RECORDS SYSTEM

JULY 10, 2008

Chairman Leahy, Ranking Member Specter, members of the Committee, thank you for inviting me to discuss with you the privacy concerns reported in the results of our review of controls over access to passport records in the Department of State’s Passport Information Electronic Records System or PIERS system. The full report has been provided to the Committee.

In March 2008, media reports surfaced that the passport files maintained by the Department of State (Department) of three U.S. Senators, who were also presidential candidates, had been improperly accessed by Department employees and contract staff. On March 21, 2008, the Office of Inspector General, Office of Audits, initiated a limited review of Bureau of Consular Affairs controls over access to passport records, and issued the final report one week ago, on July 2, 2008. The OIG made 22 recommendations to address the control weaknesses and the Department concurred with 19 of them, partially agreed with one and did not agree with two recommendations.

OIG found many control weaknesses—including a general lack of policies, procedures, guidance, and training—relating to the prevention and detection of unauthorized access to passport and applicant information and the subsequent response and disciplinary processes when a potential unauthorized access is substantiated.

As of April 2008, PIERS contained records on about 192 million passports for about 127 million passport holders. These records include personally identifiable information or P-I-I, as it is known, such as the applicant’s name, gender, social security number, date and place of birth, and passport number. PIERS also contains additional information, such as previous names used by the applicant, citizenship status of the applicant’s parents or spouse, and scanned images of passport photos. PIERS offers users the ability to query information pertaining to passports and vital records, as well as to view and print original copies of the associated documents. As a result, PIERS records are protected from release by the Privacy Act of 1974. Unauthorized access to PIERS records may also constitute a violation of the Computer Fraud and Abuse Act (18 U.S.C. § 1030).

At the time of the publicized breaches, neither Consular Affairs nor the Department had implemented breach notification policies, procedures, or other criteria for reporting incidents of unauthorized access of passport records when they were detected. However, between March and May 2008, Consular Affairs and the Bureau of Administration took a number of corrective actions, including issuing interim guidance on the various steps to be followed and decisions to be made in response to a potential incident of unauthorized access to passport records and applicant personally identifiable information, and a Department-wide P-I-I breach response policy.

While these immediate actions taken are commendable, OIG has recommended that the Department conduct the necessary vulnerability and risk assessments of all passport systems given the weaknesses and data vulnerabilities identified in this limited review of PIERS. Accordingly, OIG believes that the Department should make resources available to conduct the assessments as quickly as possible.

OIG also recommended that CA ensure the accuracy of its Privacy Impact Assessments for PIERS and for all other passport systems to accurately reflect security controls for and risks to personally identifiable information.

I would like to introduce Mr. Mark W. Duda, Assistant Inspector General for Audits, who led this review and will provide a summary of the findings.

Thank you for the opportunity to present this timely information to you today. Following Mr. Duda’s remarks, we would be happy to answer any questions you may have.